
Computer Forensics Seminar Doc



Computer Forensics

Index

1. Introduction

2. History of Computer Forensics

3. What is Computer Forensics

4. Goal of Computer Forensics

5. Digital Evidence

6. Advantages & Disadvantages of Computer Forensics

7. Applications of Computer Forensics

8. Conclusion

9. References

Figures Index:

Fig 1: Federal Bureau of Investigation logo

Fig 2: DNA Evidence

Fig 3: Crime Evidence

Fig 4: Equipment used for digital evidence


Introduction

Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. It is a scientific process of preserving, identifying, extracting, documenting, and interpreting data on computers. Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves techniques and principles similar to those of data recovery, but with additional guidelines and practices designed to create a legal audit trail. Evidence from computer forensics investigations is usually subjected to the same guidelines and practices as other digital evidence. It has been used in a number of high-profile cases and is becoming widely accepted as reliable within US and European court systems.

Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive. Computer forensics is the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.

It is a science that was created to address the specific, articulated needs of law enforcement to make the most of this new form of electronic evidence, at a time when the average storage capacity of a personally owned microcomputer was approaching 30 gigabytes.

Computer forensics has come to play a vital role in providing evidence in cases such as computer misuse and attacks against computer systems, as well as in more traditional crimes such as murder, money laundering, drugs, abuse and fraud.


History of Computer Forensics

The field of computer forensics began in the 1980s, shortly after personal computers became a viable option for consumers. In 1984, an FBI program was created. Known for a time as the Magnetic Media Program, it is now known as the Computer Analysis and Response Team (CART). Shortly thereafter, the man who is credited with being "the father of computer forensics" began work in this field. His name was Michael Anderson, and he was a special agent with the criminal investigation division of the IRS. Anderson worked for the government in this capacity until the mid-1990s, after which he founded New Technologies, Inc., a leading computer forensics firm.

A meeting held in 1988 in Oregon led to the formation of the IACIS (International Association of Computer Investigative Specialists). Shortly after that, the first classes were held to train SCERS (Seized Computer Evidence Recovery Specialists).

Computer Forensic Timeline

1970s - First criminal cases involving computers, mainly financial fraud

1980s - Financial investigators and courts realize that in some cases all the records and evidence exist only on computers

1984 - FBI Magnetic Media Program created; it later became the Computer Analysis and Response Team (CART)

Fig 1: Federal Bureau of Investigation logo

1987 - AccessData, a computer forensics company, formed

1988 - Creation of IACIS, the International Association of Computer Investigative Specialists; first Seized Computer Evidence Recovery Specialists (SCERS) classes held

1993 - First International Conference on Computer Evidence held

1995 - International Organization on Computer Evidence (IOCE) formed

1997 - The G8 countries in Moscow declared that "Law enforcement personnel must be trained and equipped to address high-tech crimes"

1998 - In March, the G8 appointed the IOCE to create international principles, guidelines and procedures relating to digital evidence

1998 - INTERPOL Forensic Science Symposium

1999 - FBI CART case load exceeds 2,000 cases, examining 17 terabytes of data

2000 - First FBI Regional Computer Forensic Laboratory established

2003 - FBI CART case load exceeds 6,500 cases, examining 782 terabytes of data


What is Computer Forensics

Computer forensics, also called cyberforensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.

Forensic investigators typically follow a standard set of procedures. After physically isolating the computer in question to make sure it cannot be accidentally contaminated, investigators make a digital copy (a bit-for-bit image) of the hard drive. Once the original hard drive has been copied, it is locked in a safe or other secure storage facility to maintain its pristine condition. All investigation is done on the digital copy. Investigators use a variety of techniques and proprietary forensic applications to examine the hard drive copy, searching hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged files. Any evidence found on the digital copy is carefully documented in a "finding report" and verified against the original, typically by comparing cryptographic hashes of the original drive and the image, in preparation for legal proceedings that involve discovery, depositions, or actual litigation.
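The acquisition procedure described above, worked through in code. This is an added example and is not code from the seminar document or from any forensic product. The "device" is a constructed file built by make_sample_device(), and its layout (one allocated block followed by unallocated space that still holds a deleted JPEG) is an assumption made for the example; a real acquisition reads the raw block device through a hardware write blocker, and opening the source read-only here stands in for that.

```python
"""Acquire a bit-for-bit image of a device, verify it by hash, and carve a
deleted file out of unallocated space (added example; constructed input)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 512
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus start of next marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


def make_sample_device(path):
    """Write the constructed device: one allocated block, then three blocks
    of unallocated space in which a 'deleted' JPEG is still present."""
    allocated = b"ALLOCATED FILE DATA ".ljust(BLOCK_SIZE, b"\x00")
    deleted_jpeg = (JPEG_SOI + b"\xe0\x00\x10JFIF" + b"\x00" * 20
                    + b"image body" + JPEG_EOI)
    unallocated = (b"\x00" * 100 + deleted_jpeg).ljust(BLOCK_SIZE * 3, b"\x00")
    with open(path, "wb") as f:
        f.write(allocated + unallocated)
    return path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so that multi-gigabyte images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def acquire_image(device, image):
    """Copy `device` into `image` block by block, hashing the source bytes as
    they are read. Returns (source_hash, image_hash); a mismatch means the
    copy is not a faithful image and the acquisition must be redone."""
    src_hash = hashlib.sha256()
    with open(device, "rb") as src, open(image, "wb") as dst:
        for buf in iter(lambda: src.read(BLOCK_SIZE), b""):
            src_hash.update(buf)
            dst.write(buf)
    return src_hash.hexdigest(), sha256_file(image)


def carve_jpegs(image):
    """File-system-agnostic carving: scan the raw image for JPEG start and
    end markers and return [(byte_offset, payload), ...]. This recovers
    files whose directory entries are gone but whose data was not reused."""
    with open(image, "rb") as f:
        data = f.read()
    found = []
    start = data.find(JPEG_SOI)
    while start != -1:
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        end += len(JPEG_EOI)
        found.append((start, data[start:end]))
        start = data.find(JPEG_SOI, end)
    return found


def run_acquisition(workdir=None, examiner="examiner-1"):
    """Acquire, verify and carve; return a custody record for the finding
    report. Uses a temporary directory when none is given."""
    workdir = workdir or tempfile.mkdtemp(prefix="forensics-")
    device = make_sample_device(os.path.join(workdir, "evidence.dev"))
    image = os.path.join(workdir, "evidence.dd")
    src_hash, img_hash = acquire_image(device, image)
    return {
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": device,
        "image": image,
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        # Re-hashing the original later must still yield source_sha256;
        # that comparison is what shows the original was never altered.
        "verified": src_hash == img_hash,
        "carved": [(off, len(payload)) for off, payload in carve_jpegs(image)],
    }


if __name__ == "__main__":
    for key, value in run_acquisition().items():
        print(f"{key}: {value}")
```

The carved JPEG is found at byte offset 612, inside unallocated space, even though no file-system entry points to it; that is the "unallocated disk space" search the procedure refers to. The two hashes in the record are the values an examiner cites when testifying that the image is a faithful copy.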

Computer forensics has become its own area of scientific expertise, with accompanying coursework and certification.

In the field of computer forensics, crucial data can be gathered from dozens of sources. These sources may include computer messaging, e-mails, the Internet, tapes, CDs, disks, or printouts made by a specific computer. The proper collection and analysis of computer evidence through accepted computer forensic protocols is a critical component of any internal investigation or audit. Evidence can be sought in a wide range of computer incidents, including but not limited to:

Theft of Company Secrets (client, customer or employee lists)

Employee Sabotage or Terrorism

Credit Card Fraud

Financial Crimes

Embezzlement (money or information)


Economic Crimes

Harassment (sexual)

Child Pornography

Major Crimes

Identity Theft (short or long-term plans)

Simply stated, computer forensics can be used to investigate any crime or incident directly or indirectly related to a computer.

Goal of Computer Forensics

Evidence Collection: Evidence refers to anything that can be collected from the system under investigation by a computer forensics expert. Prior to performing any kind of analysis of sources of digital evidence, it is necessary to uncover all hidden or deleted data. ERM can help with the collection and preservation of evidence while at the same time avoiding unwanted data loss. A "chain of custody" ensures that the integrity of the evidence is not compromised. The methodology that forensic examiners use ensures that the evidence collected cannot be overwritten, for example by acquiring the drive through a write blocker and working only on the verified copy.

Analysis: This is the phase where the real investigation takes place. The data identified and collected previously will be scrutinized using specialized computer forensic tools and techniques. The focus will be on the creation of a timeline that pieces together the sequence of events, and also on the study of the internal attributes and format of data in order to gather any kind of information that will help in the investigation. The analysis phase is complex and time consuming but forms the most crucial phase of any investigation.

Reporting: Upon completion of the analysis phase, all findings will be documented and reported in a format that can be understood by all. In most cases, since members of management will be the recipients of the report, a clear and simple description of the incident, its consequences and recommendations will be provided.
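The analysis and reporting phases above, worked through in code: file-system timestamps and log lines are merged into one timeline, a correlation is drawn from it, and a plain-language report is rendered. This is an added example, not code from the seminar document or from any forensic tool. FILE_ENTRIES and LOG_LINES are constructed for the example, the syslog-style line layout is an assumed format, and the year supplied for the log lines is an assumption (syslog lines carry no year).

```python
"""Unified timeline and findings report (added example; constructed input)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed file-system timestamps as a `stat`-style tool would report
# them: (path, modified, accessed, changed), all UTC ISO-8601.
FILE_ENTRIES = [
    ("/home/alice/report.docx",   "2024-03-12T03:20:11Z", "2024-03-12T03:20:15Z", "2024-03-12T03:20:11Z"),
    ("/tmp/.x/exfil.tar.gz",      "2024-03-12T03:22:03Z", "2024-03-12T03:23:50Z", "2024-03-12T03:22:03Z"),
    ("/home/alice/.bash_history", "2024-03-12T03:25:40Z", "2024-03-12T03:25:40Z", "2024-03-12T03:25:40Z"),
]

# Constructed log lines in an assumed syslog-style layout.
LOG_LINES = [
    "Mar 12 03:14:07 ws01 sshd[1234]: Accepted password for alice from 10.0.0.5 port 5500 ssh2",
    "Mar 12 03:23:55 ws01 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd",
    "Mar 12 03:26:01 ws01 sshd[1234]: pam_unix(sshd:session): session closed for user alice",
]

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
SYSLOG_RE = re.compile(
    r"^(\w{3}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")


def parse_iso(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_syslog(line, year):
    """Return (when, 'log', host/process, message), or None if the line is
    in some other format and should be handled by a different parser."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, host, proc, msg = m.groups()
    when = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=timezone.utc)
    return when, "log", f"{host}/{proc}", msg


def build_timeline(file_entries, log_lines, year):
    """Merge every MAC timestamp and every parsable log line into one list of
    (when, kind, subject, detail) events, ordered by time."""
    events = []
    for path, mtime, atime, ctime in file_entries:
        for label, ts in (("modified", mtime), ("accessed", atime), ("changed", ctime)):
            events.append((parse_iso(ts), "fs", path, label))
    for line in log_lines:
        parsed = parse_syslog(line, year)
        if parsed:
            events.append(parsed)
    return sorted(events, key=lambda e: e[0])


def files_touched_before_usb(timeline, window_seconds):
    """Correlation step: paths with file-system activity inside the window
    before a USB device was attached, a pattern worth flagging for the report."""
    usb_times = [when for when, kind, _, detail in timeline
                 if kind == "log" and "USB device" in detail]
    window = timedelta(seconds=window_seconds)
    return {subject for when, kind, subject, _ in timeline
            if kind == "fs" and any(timedelta(0) <= t - when <= window for t in usb_times)}


def render_report(timeline, findings):
    """Plain-text report: the full timeline followed by the flagged paths."""
    lines = ["Timeline (UTC):"]
    for when, kind, subject, detail in timeline:
        lines.append(f"  {when:%Y-%m-%d %H:%M:%S}  {kind:<3} {subject}: {detail}")
    lines.append("Findings:")
    for path in sorted(findings):
        lines.append(f"  {path} had file activity shortly before a USB device was attached")
    return "\n".join(lines)


if __name__ == "__main__":
    tl = build_timeline(FILE_ENTRIES, LOG_LINES, year=2024)
    print(render_report(tl, files_touched_before_usb(tl, 120)))
```

With a 120-second window only /tmp/.x/exfil.tar.gz is flagged; report.docx was last touched 220 seconds before the USB attach and falls outside it. The window is an analyst's choice and should be stated in the report alongside the finding.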


Digital Evidence

Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Before accepting digital evidence a court will determine if the evidence is relevant, whether it is authentic, if it is hearsay and whether a copy is acceptable or the original is required.

The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel's electronic door locks, and digital video or audio files. Many courts in the United States have applied the Federal Rules of Evidence to digital evidence in a similar way to traditional documents, although some have noted important differences: for example, that digital evidence tends to be more voluminous, more difficult to destroy, easily modified, easily duplicated, potentially more expressive, and more readily available. As such, some courts have sometimes treated digital evidence differently for purposes of authentication, hearsay, the best evidence rule, and privilege. In December 2006, strict new rules were enacted within the Federal Rules of Civil Procedure requiring the preservation and disclosure of electronically stored evidence. Digital evidence is often attacked for its authenticity due to the ease with which it can be modified, although courts are beginning to reject this argument without proof of tampering.

CATEGORIES OF EVIDENCE:

Fig 2: DNA Evidence

Fig 3: Crime Evidence

EQUIPMENT USED FOR DIGITAL EVIDENCE:

Fig 4: Equipment used for digital evidence


Advantages and Disadvantages of Computer Forensics

Advantages:

Ability to search through a massive amount of data quickly, thoroughly, and in any language

Disadvantages:

Must prove that there is no tampering

All evidence must be fully accounted for

Computer forensic specialists must have complete knowledge of legal requirements, evidence handling, storage and documentation procedures


Applications of Computer Forensics

Criminal

Computer forensics is commonly used in criminal cases. Computer forensic analysis may provide evidence that a crime has been committed, whether or not that crime involved computers directly. Evidence may be in the form of a document, an email, an instant message, a chat room transcript or a photograph. This is seen frequently in narcotics cases, stalking, sexual harassment, sexual exploitation, extortion, kidnapping and even murder cases.

Domestic

Computer forensics also frequently plays a role in domestic cases and is generally centered on proof of infidelity. Examples include recovered emails, chat room transcripts, instant messaging and photographs.

Security

The Center for Computer Forensics reports that 92 percent of all business documents and records are stored digitally and that although hackers are commonly seen as a threat to security, in reality greater risks are found within a company. Examples include theft of intellectual property (such as customer lists, new designs, company financials or trade secrets) and embezzlement. The fact is that if a person is alone with a computer for less than five minutes, that is enough time to copy sensitive files from the hard drive to a removable storage device.

Marketing

Techniques that overlap with computer forensics are also used in marketing. Examples of this can be seen on Amazon.com when recommendations are provided, or in "Just for You" from the iTunes Store. When a person visits a website, a record of that visit (browser history, cache and cookies) is stored on the computer. Each site also has different meta-tags embedded in it; meta-tags are one- or two-word descriptions of the site content. The advertisements that person sees are tailored to the meta-tags of the sites visited, much as advertising is tailored to a target demographic.


Conclusion

Hence, with computer forensics, crime cases can be solved within a much shorter time span and the accused can be identified from reliable evidence. The reasons behind a crime can be determined in a wide variety of situations and scenarios.

In law, if information is not admitted into evidence, then, for legal purposes, it does not exist. Testimony by both the forensic specialist who developed the evidence and someone who can explain its significance to the case is often required. Only then does the information become evidence. It should be clear from the above that technical skills and legal expertise must be combined in order to discover, develop and utilize digital evidence. The process used must conform to both the law and science. Failure in either arena renders the product legally worthless.

The preceding has been based on the use of computer forensics to examine stored digital information. Certainly, this need will grow dramatically in the future, as more and more of society's information is stored electronically. However, a potentially even larger use may be to document activities and processes that take place electronically; in other words, to examine not only data at rest but also data in motion. And while the law will slowly evolve and accept more and more technical issues, computer forensic specialists will continue the process of education for all parties in the legal process.


References

Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.

Richard Bejtlich, The Tao of Network Security Monitoring, Addison-Wesley, 2005.

N. Brownlee and E. Guttman, "RFC 2350 - Expectations for Computer Security Incident Response," http://www.faqs.org/rfcs/rfc2350.html, 1998.

Mariusz Burdach, “Forensic Analysis of a Live Linux System, Part One,” http://www.securityfocus.com/infocus/1769, March 2004.

Mariusz Burdach, “Forensic Analysis of a Live Linux System, Part Two,” http://www.securityfocus.com/infocus/1773, April 2004.